Microsoft Intune

Pros

Coverage of all three management categories.

Comprehensive set of policies covering a wide range of security settings.

Cons

No device location capability.

No way to customize dashboard.

Bottom Line

If you're a Microsoft shop and you already use any of their management products, you probably don't want to go to another vendor for mobile device management (MDM).
If you're not Microsoft-centric, however, then there are better feature sets available on other platforms.

10 Oct 2017

Microsoft has made steady progress since we last looked at their Intune mobile device management (MDM) entry. The obvious push from their marketing and technical directions is, of course, to move customers towards their Enterprise Mobility + Security (EMS) Suite, a bundle SKU that combines Intune with various Microsoft Azure security and identity management products. All management console development has been focused on the updated Azure portal experience, while the legacy administration function still remains available. Feature parity between the two experiences has not been reached yet, but expect the Azure experience to catch up and surpass the older tool. Still, with some work left to go on the current version, the Intune and Azure pairing remains a bit behind some of the competition, notably VMware AirWatch, our Editors' Choice winner in this category.

Part of the difficulty is that you can't have a conversation with anyone on the Microsoft EMM team about delivering simple core MDM capabilities. According to Microsoft, it's not what customers want and therefore not what they're focused on delivering. With that thought in mind, it's easy to overlook some of the functionality available with a focus on just MDM. Microsoft has leveraged its Microsoft Azure Active Directory (AD) service to give customers high-grade identity management capabilities that are tightly integrated with Intune MDM.

When you step up to the EMM product E3 and E5 tiers, you add Azure AD Premium in addition to Microsoft's Azure Information Protection and Advanced Threat Analytics capabilities. The highest tier also adds Cloud App security and a number of high-end document management features intended to let administrators protect data at the file level no matter what devices are used to access it. Add to that the recent partnership with Citrix and you have an interesting array of possibilities. Why would you want both Citrix and Microsoft EMM? The answer is in the applications. Citrix has a huge number of corporate customers that use their XenDesktop and Citrix Receiver products. The cooperative agreement between the two companies brings the best of both worlds together.

Installation and Device Registration

Signing up for a Microsoft Intune trial is one of the easier evaluation processes of all the products in this roundup. After entering the initial account information, I was able to start registering devices in under 10 minutes. However, device registration is a little different with Intune than some of the other products. For all three platforms, you must download the Intune Company Portal app and log in with your Intune user credentials. This will download the app and launch any additional required steps, such as adding certificates on iOS devices. On iOS, it's possible to enroll corporate devices by serial number, making it much easier to bring multiple devices under management.

Microsoft Intune provides a user role called the Device Enrollment Manager. This role can be given to any registered user and lets that user register more devices than the normal five-device limit. Using this approach makes it possible to delegate an enrollment task to an administrative person, giving them responsibility for all company-owned devices for one group of users.

The first time you launch the management console, you will be prompted to install Microsoft Silverlight if you haven't done that previously. Be sure you uncheck the two checkboxes for "Make Bing my search engine" and "Make MSN my homepage" unless you'd like the Silverlight installer to make those changes for you. Silverlight is compatible with all of the major browsers so that shouldn't be a problem. It is a bit annoying to have to uncheck something to prevent modification of your current browser settings. Still, overall, Microsoft Intune had one of the easiest all-around registration processes I encountered.

Management and Policies

Microsoft offers two options for managing Intune. The first is basically the same as we reviewed previously. The latest version is part of the new Azure portal. The main dashboard page follows a theme similar to that of other Azure management tools. With this new Azure version, you now have the ability to customize the dashboard as you can with other products such as VMware AirWatch and IBM MaaS360. Device location is now possible for corporate-owned iOS devices enrolled through DEP and configured in supervised mode. Support for geolocation on other devices is planned for a future release.

Reporting includes a nice range of canned reports covering most of the information you'd typically want to get out of your MDM system. Generating a new report launches a new web browser page with a search box, print, and export buttons. Some reports, such as Device History, let you enter a time period up to 90 days prior. You can also save any report with custom selections to save time later. Intune does not provide a way to create new reports or customize any existing ones.

Creating and modifying policies happens from within the Policy section of the administration portal. The initial screen gives a quick status of current policies and indicates problems with a red circle containing an exclamation point. The process of creating a new policy uses a wizard-based approach to lead you through the required steps. Each platform includes a list of available policy templates which must be customized to pick and choose from a list of settings. The templates themselves cannot be modified and you are limited to using the templates provided. That being said, the list of options is quite extensive and should cover anything you would need to either configure or constrict on any supported platform.

Microsoft does make it easy to get help from any of the management pages, including from within action dialog boxes such as the Retire/Wipe box. I was able to use this process to remove the Windows Mobile device from the list of managed devices. For Android devices, you can now remotely control the screen using TeamViewer, although the process to initiate a session is cumbersome when compared to other solutions.

Still A High Price

Microsoft prices the Basic Intune plan at $6 per device per month, for up to five devices. If a user actually had five devices, that would work out to $1.20 per device, which is pretty good. However, two devices per user is a far more realistic expectation, and would make the per-device price $3. An actual final price would probably be somewhere between $4 and $5 per device based on the large majority of users typically having a single device (phone), which would be the one device under management.

Pricing for Intune as part of the EMS suite is publicly available on the Microsoft EMS pricing page and starts at $8.74 per device per month for an E3 subscription offering Azure AD Premium, Microsoft Intune, Azure Rights Management, and Microsoft Advanced Threat Analytics. At the high end, Microsoft offers their E5 subscription, which will cost you $14.80 per device per month, adding Advanced Threat Analytics and Cloud App Security to the E3 tier.

Overall, Intune delivers a solid package including all of the basic MDM features for the three major platforms. It integrates with all of Microsoft's infrastructure management tools, such as System Center Configuration Manager, should you already be using that tool. It also tightly integrates with either on-premises AD or Azure AD for user authentication. Support for Windows Mobile devices is, as you'd expect, the most robust of all the products reviewed. The additional features provided in their EMS Suite are definitely worth the money.

Bottom Line: Microsoft Intune still represents one of the best device management options for folks running Microsoft-centric environments. The bundle options with Azure-based identity and security tools have matured and represent a powerful growth path. However, the price will be substantial and, for those running non-Microsoft platforms, there are some overlooked features, too.